Open zouyi73 opened 3 months ago
Hi @zouyi73,
The current version of cpp/use-after-free only flags an alert if the use unconditionally follows the deallocation, or if the deallocation unconditionally precedes the use. This is done to reduce the number of results on the query. Eventually, we'd like to expand the coverage of the query.
@MathiasVP Thanks for your reply! Do you mean `if (buffer != NULL)` will influence the CodeQL analysis? But when I remove `if (buffer != NULL)`, cpp/use-after-free cannot detect the UAF bug immediately (it indeed takes so long that I cancel its analysis). I don't know if a cross-function call could influence it, because when I write the use and the free in one function it can detect the bug. Could you explain this? Thank you so much!
I used Use-After-Query.ql to detect a UAF bug in a simple C program, but it doesn't work.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

void process_buffer(char *buffer) {
    if (buffer != NULL) {
        printf("Processing buffer: %s\n", buffer);
    }
}

void free_buffer(char *buffer) {
    if (buffer != NULL) {
        free(buffer); // free the memory
        printf("Buffer freed.\n");
    }
}

void use_after_free(char *buffer) {
    // the memory is used again after being freed: UAF vulnerability
    process_buffer(buffer);
}

int main() {
    char *buffer = (char *)malloc(100); // allocate 100 bytes of memory
    if (buffer == NULL) {
        perror("Failed to allocate memory");
        exit(EXIT_FAILURE);
    }
    // The issue text is cut off after the NULL check; the calls below are
    // assumed from the function names and comments above so the program
    // actually exercises the free-then-use sequence being reported.
    strcpy(buffer, "hello");
    free_buffer(buffer);
    use_after_free(buffer);
    return 0;
}
```
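The `if (buffer != NULL)` checks in the reported program give no protection against the use-after-free, because `free()` does not change the caller's copy of the pointer. The following added example (not code from the issue or from the CodeQL project) shows one way to make such a check effective: the free routine takes the address of the pointer and clears it, so the later use is skipped. The function names mirror the reporter's; `run_demo` is an assumed helper for this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Returns 1 if the buffer was used, 0 if it was skipped because it is NULL. */
static int process_buffer(const char *buffer) {
    if (buffer == NULL) {
        return 0;
    }
    printf("Processing buffer: %s\n", buffer);
    return 1;
}

/* Takes the address of the caller's pointer so the caller's copy is cleared,
 * turning a would-be dangling pointer into a NULL pointer. */
static void free_buffer(char **buffer) {
    if (buffer != NULL && *buffer != NULL) {
        free(*buffer);
        *buffer = NULL;
        printf("Buffer freed.\n");
    }
}

/* Allocate, use, free, then attempt to use again.
 * Returns the result of the second use: 0 means the dangling use was
 * prevented by the NULL check; -1 means allocation failed. */
int run_demo(void) {
    char *buffer = malloc(100);           /* constructed sample allocation */
    if (buffer == NULL) {
        return -1;
    }
    strcpy(buffer, "hello");
    process_buffer(buffer);               /* valid use before the free */
    free_buffer(&buffer);                 /* buffer is now NULL, not dangling */
    return process_buffer(buffer);        /* the NULL check now really fires */
}

int main(void) {
    return run_demo() == 0 ? 0 : 1;
}
```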